Python: Documentation - WinSystemShell

WinSystemShell (version 0.0.1)

A local privilege escalation utility that allows elevating from an
administrator context to the SYSTEM account on Windows to perform
high-privilege operations.

Classes

_ctypes.Structure(_ctypes._CData)

INPUT_RECORD
KEY_EVENT_RECORD
OVERLAPPED

builtins.object

PipeClient

class INPUT_RECORD(_ctypes.Structure)

Represents a console input record.

Method resolution order:: INPUT_RECORD; _ctypes.Structure; _ctypes._CData; builtins.object

Data descriptors defined here:

Event

EventType

__dict__: dictionary for instance variables

__weakref__: list of weak references to the object

Methods inherited from _ctypes.Structure:

__buffer__(self, flags, /): Return a buffer object that exposes the underlying memory of the object.

__init__(self, /, *args, **kwargs): Initialize self. See help(type(self)) for accurate signature.

Static methods inherited from _ctypes.Structure:

__new__(*args, **kwargs) class method of _ctypes.Structure: Create and return a new object. See help(type) for accurate signature.

Methods inherited from _ctypes._CData:

__ctypes_from_outparam__(self, /): default __ctypes_from_outparam__ method returns self.

__hash__(self, /): Return hash(self).

__reduce__(self, /): Helper for pickle.

__setstate__(self, dict, data, /)

class KEY_EVENT_RECORD(_ctypes.Structure)

Represents a key event in the Windows console input.

Method resolution order:: KEY_EVENT_RECORD; _ctypes.Structure; _ctypes._CData; builtins.object

Data descriptors defined here:

__dict__: dictionary for instance variables

__weakref__: list of weak references to the object

bKeyDown

dwControlKeyState

uChar

wRepeatCount

wVirtualKeyCode

wVirtualScanCode

Methods inherited from _ctypes.Structure:

__buffer__(self, flags, /): Return a buffer object that exposes the underlying memory of the object.

__init__(self, /, *args, **kwargs): Initialize self. See help(type(self)) for accurate signature.

Static methods inherited from _ctypes.Structure:

__new__(*args, **kwargs) class method of _ctypes.Structure: Create and return a new object. See help(type) for accurate signature.

Methods inherited from _ctypes._CData:

__ctypes_from_outparam__(self, /): default __ctypes_from_outparam__ method returns self.

__hash__(self, /): Return hash(self).

__reduce__(self, /): Helper for pickle.

__setstate__(self, dict, data, /)

class OVERLAPPED(_ctypes.Structure)

Represents the Windows OVERLAPPED structure for asynchronous I/O.

Method resolution order:: OVERLAPPED; _ctypes.Structure; _ctypes._CData; builtins.object

Data descriptors defined here:

Internal

InternalHigh

Offset

OffsetHigh

__dict__: dictionary for instance variables

__weakref__: list of weak references to the object

hEvent

Methods inherited from _ctypes.Structure:

__buffer__(self, flags, /): Return a buffer object that exposes the underlying memory of the object.

__init__(self, /, *args, **kwargs): Initialize self. See help(type(self)) for accurate signature.

Static methods inherited from _ctypes.Structure:

__new__(*args, **kwargs) class method of _ctypes.Structure: Create and return a new object. See help(type) for accurate signature.

Methods inherited from _ctypes._CData:

__ctypes_from_outparam__(self, /): default __ctypes_from_outparam__ method returns self.

__hash__(self, /): Return hash(self).

__reduce__(self, /): Helper for pickle.

__setstate__(self, dict, data, /)

class PipeClient(builtins.object)

PipeClient(
    executable: str = 'C:\\Windows\\System32\\cmd.exe',
    server_path: str = 'SystemShellServer.py',
    schtasks: str = None,
    pipein: str = None,
    pipeout: str = None
)

Client for communicating with a server via named pipes.

Methods defined here:

__init__( self, executable: str = 'C:\\Windows\\System32\\cmd.exe', server_path: str = 'SystemShellServer.py', schtasks: str = None, pipein: str = None, pipeout: str = None ): Initialize pipes and console handles, and start the server process.

run(self) -> int: Run the main loop reading from the pipe and console.

start_pipe_read(self) -> Tuple[OVERLAPPED, bytes]: Start an asynchronous read from the output pipe.

Data descriptors defined here:

__dict__: dictionary for instance variables

__weakref__: list of weak references to the object

Data and other attributes defined here:

ERROR_BROKEN_PIPE = 109

ERROR_IO_PENDING = 997

FILE_FLAG_OVERLAPPED = 1073741824

GENERIC_READ = 2147483648

GENERIC_WRITE = 1073741824

KEY_EVENT = 1

OPEN_EXISTING = 3

STD_INPUT_HANDLE = -10

STD_OUTPUT_HANDLE = -11

WAIT_OBJECT_0 = 0

Functions

__annotate__(format, /)

byref(obj, offset=0, /): Return a pointer lookalike to a C instance, only usable as function argument.

existing_file(path: str) -> str: Validate that the given path points to an existing file.

Args:
    path: Path to the file.

Returns:
    The validated file path.

Raises:
    ArgumentTypeError: If the file does not exist.

exit(status=None, /): Exit the interpreter by raising SystemExit(status).

If the status is omitted or None, it defaults to zero (i.e., success).
If the status is an integer, it will be used as the system exit status.
If it is another kind of object, it will be printed and the system
exit status will be one (i.e., failure).

isfile = _path_isfile(path): Test whether a path is a regular file

main() -> int: The main function to start the script from the command line.

parse_args() -> Namespace: Parse and validate command-line arguments.

python WinSystemShell.py --executable C:\Windows\System32\cmd.exe --schtasks "SystemRunOnce.exe" --server-path C:\temp\server.py --pipein shellpipein --pipeout shellpipeout

Returns:
    Namespace containing parsed arguments:
        executable: Path to an existing executable file.
        schtasks: Path to SystemRunOnce.exe, if not defined the default schtasks was used.
        server_path: Windows path to the server executable.
        pipein: Name of the input named pipe.
        pipeout: Name of the output named pipe.

sleep(object, /): sleep(seconds)

Delay execution for a given number of seconds. The argument may be
a floating-point number for subsecond precision.

valid_pipe_name(name: str) -> str: Validate a Windows named pipe name.

Only allows alphanumeric characters, dots, underscores,
and hyphens. The full pipe path (\\.\pipe\) is not required.

Args:
    name: Pipe name.

Returns:
    The validated pipe name.

Raises:
    ArgumentTypeError: If the pipe name contains invalid characters.

valid_windows_path(path: str) -> str: Validate that the provided string looks like a valid Windows file path.

This performs a basic validation by checking that the path starts
with a drive letter followed by a backslash (e.g., C:\).

Args:
    path: Windows file path.

Returns:
    The validated path.

Raises:
    ArgumentTypeError: If the path does not match the expected format.

Data
		CMD = r'C:\Windows\System32\cmd.exe' PIPEDIR = r'\\.\pipe\' SERVER_PATH = 'SystemShellServer.py' Tuple = typing.Tuple __author_email__ = 'mauricelambert434@gmail.com' __conditional_annotations__ = {0, 1, 2} __copyright__ = '\nWinSystemShell Copyright (C) 2026 Maurice Lam...ome to redistribute it\nunder certain conditions.\n' __description__ = '\nA local privilege escalation utility that allow...on Windows to perform\nhigh-privilege operations.\n' __license__ = 'GPL-3.0 License' __maintainer__ = 'Maurice Lambert' __maintainer_email__ = 'mauricelambert434@gmail.com' __url__ = 'https://github.com/mauricelambert/WinSystemShell' ascii_letters = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ' copyright = '\nWinSystemShell Copyright (C) 2026 Maurice Lam...ome to redistribute it\nunder certain conditions.\n' digits = '0123456789' executable = r'C:\Program Files\Python\python.exe' license = 'GPL-3.0 License' stdout = <_io.TextIOWrapper name='<stdout>' mode='w' encoding='utf-8'>

Author
		Maurice Lambert